This post was written with contributions from Chris Caridi and Kat Weinberger.

IBM Security X-Force has been tracking the activity of Black Basta, a new ransomware group that first appeared in April 2022. To date, this group has claimed attribution of 29 different victims across multiple industries using a double extortion strategy where the attackers not only execute ransomware but also steal data and threaten to release it publicly if the ransom demands are not met. The data disclosure element of these attacks takes place on a data leak site available on the Tor network. As a mechanism to apply pressure to coerce the victim to pay the ransom, the operators of Black Basta will gradually release stolen data on the leak site.

The Black Basta group is still in the early stages of their organization and X-Force has not observed any attempts to advertise the malware or hire affiliates on underground forums. Due to operational similarities and the absence of affiliation attempts, it has been reported that Black Basta may potentially be a rebranded version of the Conti gang, a well-known ransomware group that already has affiliates. However, the Conti group announced on May 12 that they had no affiliations with the Black Basta ransomware group. X-Force’s assessment of the possible relationship between these groups is ongoing.

The Black Basta ransomware variant acts at such a high speed that it rarely causes symptoms that would tip off defenders to the compromise before the ransomware has been deployed.

This blog post will detail X-Force’s insights into the Black Basta ransomware, technical analysis of the sample, and indicators of compromise (IoC) to help organizations protect themselves from this malware.

X-Force assessment

Black Basta’s sudden appearance and subsequent high volume of successful compromises highlights the speed with which ostensibly “new” ransomware groups are able to become central figures in the threat landscape. While this group has yet to be linked by X-Force to existing or past ransomware operations, the impact that this group has had in such a short amount of time points to a practiced and effective set of tactics, techniques, and procedures (TTPs) that pose a significant threat to enterprise networks. Based on current intelligence, it does not appear that Black Basta targets specific industries or verticals. However, entities that collect large amounts of data that is attractive for extortion operations such as personally identifiable information (PII), financial information, or other sensitive data, are likely to stand out as lucrative targets for attackers.

We encourage security practitioners to review the IBM X-Force Definitive Guide to Ransomware and the mitigations highlighted below, action available IOCs, and ensure that detections are in place to alert on observed malicious behaviors.

Additional Risk Mitigations:

  • Establish and maintain backup routines, including offline backups. Ensure you have backup redundancy stored separately from network zones attackers could access with read-only access. The availability of effective backups is a significant differentiator for organizations and can support recovery from a ransomware attack.
  • Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.
  • Employ user behavior analytics to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.
  • Employ multifactor authentication on all remote access points into an enterprise network — with particular care given to secure or disable remote desktop protocol (RDP) access. Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.
Download the Definitive Guide to Ransomware

Ransomware analysis details

Behavioral analysis

Behavioral analysis describes the malware behavior observed on a system during execution. Behavioral analysis typically includes actions performed on the system such as files dropped, persistence, details surrounding process execution and any C2 communications. It should be noted that behavioral analysis may not capture all notable malware behavior as certain functions may only be performed by the malware under specific conditions.

Loader

Upon execution, the loader base64 decodes a Black Basta payload using the CryptStringToBinaryA() API function. The decoded payload is then RC4 decrypted using the key “1xJr13puJChWqiMeOnFDDSOmoSmws5n“. Black Basta is then injected into a process instance of the loader and executed in memory. The injected Black Basta sample has a SHA256 hash: ef1382770f820e4b2e65981bb7b3a62d5f93e3b87763f83012ef7f7cb1bc9469 and compile time: Thursday, 28.04.2022 15:15:43 UTC.

Black Basta

Upon execution, Black Basta conducts the following activity:

  • Deletes volume shadow copies using the commands:

C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet<br /> C:\Windows\System32\vssadmin.exe delete shadows /all /quiet

  • Changes the desktop background to the following image using the file %Temp%\dlaksjdoiwq.jpg.

  • Modifies the following registry key to set the desktop background.

HKCU\Control Panel\Desktop\Wallpaper = %Temp%\dlaksjdoiwq.jpg

  • Drops the ICON file %Temp%\fkdjsadasd.ico to the system. This file is used as the default icon for encrypted files. To set the default icon, the ransomware creates the following registry key.

HKEY_CLASSES_ROOT\.basta\DefaultIcon = %Temp%\fkdjsadasd.ico

  • Drops the ransom note readme.txt in directories where it encrypts files. The company id and ransom note is hardcoded in the sample. Example id: 18a6cdad-316c-4922-953e-c64bf4959a74.

Your data are stolen and encrypted<br /> The data will be published on TOR website if you do not pay the ransom<br /> You can contact us and decrypt one file for free on this TOR site<br /> (you should download and install TOR browser first <a href="https://torproject.org">https://torproject.org</a>)<br /> hxxps[:]//aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd[.]onion/

Your company id for log in: <varying id per sample in GUID format>

  • Appends the file extension .basta to encrypted files.

  • Depending on the variant, Black Basta conducts the following activity:
    • Hijacks the existing Fax service to maintain persistence.
    • Disables windows recovery and repair with the command:

C:\Windows\SysNative\bcdedit.exe /deletevalue safeboot<br /> C:\Windows\System32\bcdedit.exe /deletevalue safeboot

  • Reboots the system into safe mode using bcdedit and the shutdown command.

C:\Windows\SysNative\bcdedit.exe /set safeboot network<br /> C:\Windows\System32\bcdedit.exe /set safeboot network<br /> cmd.exe /C shutdown -r -f -t 0

  • The following files and folders are skipped during encryption:

$Recycle.Bin<br /> Windows<br /> boot<br /> readme.txt<br /> dlaksjdoiwq.jpg<br /> NTUSER.DAT<br /> fkdjsadasd.ico<br /> OUT.txt

Static analysis

Static analysis is a deeper dive into the technical analysis of the malware. Static analysis typically includes further details about the functionality, obfuscation or packing in the sample, encryption used by the malware, configuration information or other notable technical detail.

Loader

The injection process for the loader is as follows:

  1. The loader creates a suspended process instance of itself with CreateProcessA().
  2. Then it calls GetThreadContext() to get the thread context of the suspended process.
  3. Next, it calls ReadProcessMemory() to obtain the suspended process’ image base from the Process Environment Block retrieved via the thread context.
  4. The loader proceeds to allocate memory in the suspended process using VirtualAllocEx() and writes the payload to the buffer using WriteProcessMemory().
  5. Finally, it sets the entry point of the injected payload using SetThreadContext() and executes the injected payload using ResumeThread().

Notably, samples similar to loader were found in VirusTotal with the following project paths. The payloads of these samples have not yet been determined.

c4fa34414fb1c199e13d7cd7def0e8f401c9649657a39224bc32310c9fd9d725, C:\BHProject\Treasurer\SharpDepositorCrypter\PELoaderNative\PELoaderNative\Release\PELoaderNative.pdb<br /> f132ffc8648d38833244e612c58224285e85e863a35c872490690217c082e59c, C:\BHProject\Treasurer\SharpDepositorCrypter\PELoaderNative\PELoaderNative\Release\PELoaderNative.pdb

The following samples were compiled under a similar project path but are coded differently.

19c2710e498d55f2e3a3d4126064e960058e32c99dc35944b3fc09aa0eec4754, C:\BHProject\Treasurer\SharpDepositorCrypter\PELoader\PELoader\Release\PELoader.pdb<br /> c5fcd0643823082941bc827613baf0fa574ffd9cb03a8b265d62d657367b2ea2, C:\BHProject\Treasurer\SharpDepositorCrypter\PELoader\PELoader\Release\PELoader.pdb<br /> daa049b15bb5c1d0aef06276f9940d2fea76242f1a01ebfe299a63b7c74f7ea0, C:\BHProject\Treasurer\SharpDepositorCrypter\PELoader\PELoader\Release\PELoader.pdb

Black Basta

Encryption

To start encrypting files, Black Basta calls the FindFirstVolumeW() and FindNextVolumeW() functions to enumerate volumes on the victim system. For each volume, the ransomware calls GetVolumePathNamesForVolumeNameW() to obtain a list of drive letters and mounted folder paths for the specified volume. Analysis indicates that Black Basta uses ChaCha20 encryption during the encryption process. Notably, it is observed that some files are not fully encrypted, possibly in an effort to hasten the encryption process. Black Basta encrypts some files in 64-byte blocks every 128 bytes as shown in the example encrypted notepad.exe file below.

Compile times

The samples’ compile times range from February 2022 to Apr 2022. The earlier samples in February contain a ransom note indicating the malware name is “no_name_software“.

Sample Compile Time
17205c43189c22dfcb278f5cc45c2562f622b0b6280dcd43cc1d3c274095eb90 Thursday, 17.02.2022 00:46:11 UTC
5b6c3d277711d9f847be59b16fd08390fc07d3b27c7c6804e2170f456e9f1173 Thursday, 17.02.2022 00:46:11 UTC
7883f01096db9bcf090c2317749b6873036c27ba92451b212b8645770e1f0b8a Saturday, 16.04.2022 06:29:58 UTC
ae7c868713e1d02b4db60128c651eb1e3f6a33c02544cc4cb57c3aa6c6581b6e Saturday, 16.04.2022 06:29:58 UTC
b3661c6fecf46e6a7b96b3debc7efa65633bfde2f156392ff6506736457361be Friday, 22.04.2022 14:41:00 UTC
5d2204f3a20e163120f52a2e3595db19890050b2faa96c6cba6b094b0a52b0aa Friday, 22.04.2022 20:31:36 UTC
Scroll to view full table

Sample Ransom Note from versions compiled in February:

All of your files are currently encrypted by no_name_software.<br /> These files cannot be recovered by any means without contacting our team directly.<br /> DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,<br /> if you want to try - we recommend choosing the data of the lowest value.<br /> DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. <br /> So it will be better for both sides if you contact us as soon as possible.<br /> DON'T TRY TO CONTACT feds or any recovery companies. <br /> We have our informants in these structures, so any of your complaints will be immediately directed to us. <br /> So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.<br /> DON'T move or rename your files. These parameters can be used for encryption/decryption process.<br /> To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.<br /> You can contact our team directly for further instructions through our website :<br /> TOR VERSION :<br /> (you should download and install TOR browser first https://torproject.org)<br /> https://aazsbsgya565vlu2c6bzy6yfiebkcbtvvcytvolt33s77xypi7nypxyd.onion:80/<br /> Your company id for log in: c98fa42b-3233-45df-bd7c-42529c44cb70<br /> Your company key: 3 of any of your dc through comma. Example: "DC1, DC2, DC3". You can type less if you have no enough<br /> YOU SHOULD BE AWARE!<br /> We will speak only with an authorized person. It can be the CEO, top management, etc. <br /> In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! <br /> Inform your supervisors and stay calm!

String analysis

String analysis reveals misspelled strings “ERRRRRRRROr” and “ERRRROR“.

The ransomware contains references to the following Windows services:

tokenbroker<br /> cdpsvc<br /> wcmsvc<br /> wsearch<br /> dnscache<br /> iphlpsvc<br /> appinfo<br /> coremessagingregistrar<br /> lsm<br /> vboxservice<br /> brokerinfrastructure<br /> camsvc<br /> keyiso<br /> eventsystem<br /> dcomlaunch<br /> power<br /> samss<br /> lanmanserver<br /> comsysapp<br /> vaultsvc<br /> wuauserv<br /> netsvcs<br /> remoteregistry<br /> sessionenv<br /> termservice<br /> netlogon

X-Force

If you have questions or want a deeper discussion on how IBM X-Force can help you with incident response, threat intelligence, or offensive security services schedule a follow up meeting here:

IBM X-Force Scheduler

If you are experiencing cybersecurity issues or an incident, contact X-Force to help.

US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today